Third countries are countries outside the European Union and the European Economic Area, in which the GDPR does not form part of the legal system. Special provisions apply to transfers of personal data to these countries, and such transfers are often restricted, depending on the country. International organizations are covered by the same provisions as third countries.
Provisions in the GDPR
Even under the current legislative framework provided by the Data Protection Directive, there are restrictions on data transfers to third countries. Your company can transfer personal data to a third country only if an adequate level of data protection is guaranteed. The onus is on EU companies to take the necessary precautions to ensure that transfers are safe. The GDPR builds on and expands those principles.
Chapter V of the GDPR, “Transfers of personal data to third countries or international organisations”, sets out the basic principles, safeguards, rules and derogations. Any transfer of personal data for processing must comply in full with the provisions of Chapter V.
A mainstay in cross-border data transfers is the mandate of the European Commission to determine which countries and organizations ensure an adequate level of data protection, hence the name ‘adequacy decisions’.
The existing adequacy decisions made under the Data Protection Directive remain in force. Transfers to Andorra, Argentina, Canada (commercial organisations), the Faeroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay are currently allowed, as these countries have been found to provide an adequate level of data protection under the DPD. The adequacy arrangement for the US, the EU-US Privacy Shield, is subject to ongoing legal action; companies relying on it should keep close track of any new decisions, which could affect them greatly.
This means that personal data can flow freely from the EU and EEA member states to those countries without further safeguards (beyond what is required for intra-EU data transfers, of course).
The adequacy findings of the European Commission are binding for all EU member states; there is no leeway allowed.
The European Commission takes various factors into account when assessing the adequacy of data protection in a third country. First, it looks at the applicable legislation and the rule of law in the country, including respect for human rights and fundamental freedoms, as well as the relevant case law.
Conditions for Third Countries
To be found adequate, a third country must have an effective, independent supervisory authority that ensures compliance with the data protection rules in place and cooperates with the supervisory authorities of the EU member states. The international agreements that the country has entered into are also examined, primarily the obligations regarding the protection of personal data that result from them.
The GDPR requires the Commission to monitor these countries and to reassess them if anything occurs that could affect the validity of an adequacy decision. If the level of protection is no longer adequate, the Commission must repeal, amend or suspend the adequacy decision. The list of third countries for which adequacy has been found, or is no longer ensured, is published in the Official Journal of the European Union.
Periodic reviews must take place at least every four years regardless of the circumstances, but may occur sooner, depending on developments in each country. This could introduce uncertainty for companies relying on these decisions and could impede their long-term planning. The long-term effect of this provision remains to be seen.
Data transfers to third countries are also possible in the absence of an adequacy decision from the European Commission.
However, such transfers require appropriate safeguards: enforceable rights and effective legal remedies must be ensured for the data subjects (individuals). There are various mechanisms for this, and the GDPR greatly expands on those listed in the DPD while providing more oversight of such transfers. This is good news if your company relies on trusted subcontractors or partners from outside the EU.
Transfers between public-sector organizations are comparatively easy. They can be based on a legally binding and enforceable instrument between the public authorities in both countries, in which case no approval from the supervisory authority is required. Note that non-binding administrative arrangements between public authorities, by contrast, do require authorization from the supervisory authority.
Binding Corporate Rules
Corporate groups will most often make use of binding corporate rules for transfers of data outside the EU to their own branches or subsidiaries. The requirements are listed in Article 47.
These rules must be binding on every member of the group of undertakings that deals with personal data, including their employees. Data subjects must be informed that you intend to transfer or process their data outside the EU, and the rules themselves must set out how they are made available to data subjects.
The corporate rules should contain at least the following information:
- The structure and contact details of the group of enterprises and each of its members
- What transfers are taking place, what categories of data and processing are involved, and why
- That they are legally binding
- That general data protection principles apply: data minimisation, purpose and storage limitation, protection by design and by default, protection of special categories and protections in case of third-party transfers.
- The rights of data subjects (individuals) and the means to exercise their rights
- The acceptance of liability by a controller or processor established in the EU for any breaches of the rules by a group member not established in the EU
- The manner in which these rules are presented to the data subjects
- The tasks of data protection officers and the existence of data protection training
- The complaint procedures
- The mechanisms for the verification of compliance, recording changes and reporting them to the supervisory authorities, as well as the cooperation with them
Rules containing all of these items are more likely to be approved by the competent supervisory authority, which approves them under the GDPR's consistency mechanism. Once approved, no further approvals for individual data transfers within the group are necessary. This makes them very attractive for multinational companies with multiple subsidiaries. Note that binding corporate rules cover transfers within a group of undertakings or enterprises engaged in a joint economic activity; transfers to unrelated partners need one of the other mechanisms, such as standard clauses.
Standard Data Protection Clauses
Standard data protection clauses come in two forms: clauses adopted by the Commission and clauses adopted by a supervisory authority and approved by the Commission. The former are also known as model clauses. When incorporated into the contract between the parties, these standard clauses ensure that appropriate safeguards are in place, so that cross-border data transfers may take place without further authorization by a supervisory authority.
The clauses themselves may not be amended. Instead, the details of the data exporter and the recipient (and the description of the transfer) are inserted into the model clauses. Some member states currently require these contracts to be submitted to the data protection authority regardless. Under the GDPR, this will no longer be necessary.
The situation is similar for supervisory authority clauses. These are a novelty, since they do not exist in the current framework, but their purpose is much the same. Approval by the supervisory authority for individual transfers is not required if such clauses are used. The Commission still has to approve the clauses themselves, most likely to ensure consistency among the supervisory authorities. The practical usability of these clauses, and the extent to which they will co-exist with the Commission clauses, is unknown as yet.
Unlike the pre-made, pre-approved clauses, ad hoc clauses drafted by the exporting and receiving parties may also provide appropriate safeguards, but they require explicit authorization by the competent supervisory authority for each such contract. That is why it is usually more practical to rely on a pre-approved scheme.
Codes of Conduct
The detailed provisions on codes of conduct can be found in Chapter IV, Section 5 of the GDPR (Articles 40 to 43). Associations and other bodies representing categories of controllers or processors are encouraged to draw up codes of conduct that help ensure proper compliance with the GDPR.
Once approved, such a code of conduct may serve as a basis for data transfers to third countries, provided that the recipient, which is not itself bound by the GDPR, makes binding and enforceable commitments to apply the code's safeguards. Such transfers do not require the approval of a supervisory authority, although the code of conduct itself must have been approved beforehand. A valid code of conduct must also contain mechanisms that allow a supervisory authority, or an accredited monitoring body, to monitor compliance with its provisions.
Codes of conduct are therefore a very attractive option for cross-border data transfers, especially if the company has already adopted one.
The European Commission, the supervisory authorities and the Member States are obligated to encourage the formation of Union-wide certification schemes that serve to demonstrate compliance.
It is envisaged that such a certification, once obtained, will allow the company to transfer data to third countries without the need for further approval, since the certification demonstrates the existence of appropriate safeguards and measures.
As with codes of conduct, data recipients from third countries must be bound by the commitments and practices stipulated by the certification.
Article 48 provides that a judgment of a court or tribunal, or a decision of an administrative authority, of a third country requiring a controller or processor to transfer or disclose personal data is recognized and enforceable only if it is based on an international agreement, such as a mutual legal assistance treaty, between the requesting third country and the EU or a member state. This is without prejudice to other grounds for transfer under Chapter V.
The GDPR also allows personal data transfers to third countries to occur in the absence of both an adequacy decision and appropriate safeguards, but only under specific derogations.
Such transfers are allowed if:
- The exporter has obtained the explicit consent of the data subject, who has been informed of the possible risks of the transfer
- The transfer is necessary for the performance of a contract between the data subject and the controller, or for the performance of a contract concluded in the interest of the data subject between the controller and another person
- The transfer is necessary for important reasons of public interest, for the establishment, exercise or defence of legal claims, or to protect the vital interests of the data subject or other persons where the data subject is incapable of giving consent
- The transfer is made from a public register
Note that a transfer can be made even if none of the derogations apply, but only if it is not repetitive, concerns only a limited number of data subjects, is necessary for compelling legitimate interests of the controller which are not overridden by the interests, rights and freedoms of the data subject, and the controller has assessed all the circumstances and provided suitable safeguards. In that case the controller must inform both the supervisory authority and the data subject of the transfer and of the compelling legitimate interests pursued.
Most of the data transfer provisions of the current Directive have been maintained in the GDPR, with the addition of a few new mechanisms. The main takeaways are the four-yearly review of adequacy decisions, the supervisory authority clauses, and transfers based on certifications and codes of conduct.
The GDPR is well developed in this regard, so there should be little that is open to interpretation. Companies will like the fact that most data transfers will not need additional supervisory approval once the compliance mechanism has been put in place. However, we advise you to keep track of which countries are adequate and to prepare contingency plans in case their status is revoked. Pay particular attention to the EU-US situation if it is relevant to your business, as it is still unresolved.
If you feel there is no sound way around the requirement to secure the data all the way through, well… you are getting the point. Overall, the provisions of the GDPR on data transfers to third countries make sense, and we expect most companies to agree to these rules voluntarily, as the safeguards they prescribe are sound practice in and of themselves.